From 21b1c52d1ef704f924adff13f595b5bc1edf1842 Mon Sep 17 00:00:00 2001
From: juju4
Date: Sun, 13 Aug 2017 16:18:13 -0400
Subject: [PATCH] forfiles, bash detection
---
 rules/windows/builtin/win_susp_process_creations.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml
index 114d0723..4ba1bc44 100644
--- a/rules/windows/builtin/win_susp_process_creations.yml
+++ b/rules/windows/builtin/win_susp_process_creations.yml
@@ -11,6 +11,7 @@ reference:
 - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
 - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
 - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
+ - https://twitter.com/vector_sec/status/896049052642533376
 author: Florian Roth
 logsource:
 product: windows
@@ -67,6 +68,8 @@ detection:
 - '*AddInProcess*' # NotPowershell (nps) attack - '*msbuild*'
+ - '*forfiles*'
+ - '*bash*'
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
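Review bot: `'*bash*'` in the second hunk is a bare substring wildcard, so it fires on any value that merely contains the string "bash" (Git for Windows or Cygwin `bash.exe`, WSL shells started by developers, unrelated arguments containing the word), which adds a lot of noise to a rule whose existing entries are already broad; the field these patterns apply to is declared above the hunk, so its exact semantics should be confirmed there. `'*forfiles*'` has the same problem: the abuse in the newly referenced tweet is presumably the `/c` switch launching an arbitrary command, so narrower patterns such as `- '*forfiles*/c*'` and `- '*\bash.exe*'` would keep the detection while dropping the obvious benign matches. The neighbouring entry carries a why-comment (`# NotPowershell (nps) attack`) and the two new ones should too, e.g. `# forfiles /c used as a command launcher` and `# bash.exe (WSL/Git) used as a command launcher`. The `falsepositives` list further down should also name WSL and Git-for-Windows bash usage, since those become the dominant benign source for this rule.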